Before
starting!This essay is for knowledge purposes
only!!Software developers spend much time in making their programs.
They live from the money we give them! Please buy good software!!

I. What is it?

The title of this essay stands for itself: inserting code
into a program. It consists of: finding a suitable place, inserting the
code, calling the inserting code, returning to the orginal program.

II. What is it used for?

Most of the time it's used to add functionality to a program or to
crack a packed program without unpacking it. You may wonder: "Why doing
difficult code insertion when you can unpack the program and then crack
it?". Well, because most packed .exe files become quite big and it would
take too much time (on slow connections) to upload/download the whole
program, in comparison to a < 5 KB crack.

III. How does it work?

Imagine we have this packed program called packed.exe. You have found
out that at offset 415000 there's a registered-or-not-jump that has to be
NOP-ed out. As the program is packed, it 's impossible to do that in a hex
editor as you will just NOP out important, compressed data. Anyway, first
of all we have to find empty space in the .exe file which we can use to
add our own code. Just scroll around in a hex-editor and search for "00"
or "90" as hex values. Please be warned that you don't use empty space
that is used to write unpacked code to. You may have to give it a few
tries before you 've found a suitable place to add your code. Okay, now
before we let the program jump to our own inserted routine, the program
gotta be fully unpacked. Therefore we have to find the end of the
unpacking routine. (if you can't find this, or you don't know what i'm
talking about, read Volatility's essay on manually unpacking!). When
you've found the end of the unpacking routine, you have to insert a jump
to your inserted code. At the end of your inserted code: jump back. You
can also put a call at the end of the unpacking routine and put a 'ret' at
the end of your inserted code. Hmmmm, I can imagine that if you're a
beginner cracker this all can sound pretty confusing.Try to follow
this scheme:

[original code]...end of
unpacking routine... push 401000 pop esiret

[modified code]...end of unpacking
routine...jmp 42000 ;jump to an empty location you've found (note that
42000 is a bogus value!) pop esi ret........ 42000:
push 401000 ;we used this instruction for our jump, so don't forget to
insert it here! push eax ;push ALL registers you will use in your
inserted code!! mov al, 90 ;put the hex value for NOP in al mov
byte ptr [00415000], al ;clear out the registered-or-not-jump mov byte
ptr [00415001], al ;same here, for the second byte of the jump pop eax
jmp back ;with 'back'= the offset of the 'pop esi' instruction

That's it!

IV. In the end

Voilą, this was the easy part. More difficult is finding the protection
of the program! Because (don't forget) you can't use a disassembler. That
way you'll have to do everything with SoftICE. The best example I can give
is my tutorial on ACDSee 3.0. Go and read it!